diff --git a/packages/@aws-cdk/aws-cloudfront/lib/cache-policy.ts b/packages/@aws-cdk/aws-cloudfront/lib/cache-policy.ts
index 18924ade79748..e9dbf46901eda 100644
--- a/packages/@aws-cdk/aws-cloudfront/lib/cache-policy.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/cache-policy.ts
@@ -231,6 +231,9 @@ export class CacheHeaderBehavior {
     if (headers.length === 0) {
       throw new Error('At least one header to allow must be provided');
     }
+    if (headers.length > 10) {
+      throw new Error(`Maximum allowed headers in Cache Policy is 10; got ${headers.length}.`);
+    }
     return new CacheHeaderBehavior('whitelist', headers);
   }
 
diff --git a/packages/@aws-cdk/aws-cloudfront/test/cache-policy.test.ts b/packages/@aws-cdk/aws-cloudfront/test/cache-policy.test.ts
index 66b5fa80d5749..4f6d618c51621 100644
--- a/packages/@aws-cdk/aws-cloudfront/test/cache-policy.test.ts
+++ b/packages/@aws-cdk/aws-cloudfront/test/cache-policy.test.ts
@@ -96,6 +96,17 @@ describe('CachePolicy', () => {
     expect(() => new CachePolicy(stack, 'CachePolicy6', { cachePolicyName: 'My_Policy' })).not.toThrow();
   });
 
+  test('throws if more than 10 CacheHeaderBehavior headers are being passed', () => {
+    const errorMessage = /Maximum allowed headers in Cache Policy is 10; got (.*?)/;
+    expect(() => new CachePolicy(stack, 'CachePolicy1', {
+      headerBehavior: CacheHeaderBehavior.allowList('Lorem', 'ipsum', 'dolor', 'sit', 'amet', 'consectetur', 'adipiscing', 'elit', 'sed', 'do', 'eiusmod'),
+    })).toThrow(errorMessage);
+
+    expect(() => new CachePolicy(stack, 'CachePolicy2', {
+      headerBehavior: CacheHeaderBehavior.allowList('Lorem', 'ipsum', 'dolor', 'sit', 'amet', 'consectetur', 'adipiscing', 'elit', 'sed', 'do'),
+    })).not.toThrow();
+  });
+
   test('does not throw if cachePolicyName is a token', () => {
     expect(() => new CachePolicy(stack, 'CachePolicy', {
       cachePolicyName: Aws.STACK_NAME,